Required fields are in bold.
Cloud Firewall logs show traffic that has been handled by network tunnels. Reference: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-cloud-firewall-logs
| Column | Type | Description |
| --- | --- | --- |
| | | The timestamp of the request transaction in UTC (2015-01-16 17:48:41). |
| | | The unique identity of the network tunnel. |
| | | The name of the network tunnel. |
| | | The type of identity that made the request. Should always be 'CDFW Tunnel Device'. |
| | | The direction of the packet. It is destined either towards the internet or to the customer's network. |
| | | The actual IP protocol of the traffic. It could be TCP, UDP, or ICMP. |
| | | The size of the packet that Umbrella CDFW received. |
| | | The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address. |
| | | The internal port number of the user-generated traffic towards the CDFW. |
| | | The destination IP address of the user-generated traffic towards the CDFW. |
| | | The destination port number of the user-generated traffic towards the CDFW. |
| | | The name of the Umbrella Data Center that processed the user-generated traffic. |
| | | The ID of the rule that processed the user traffic. |
| | | The final verdict, whether to allow or block the traffic, based on the rule. |
| | | Panther added field with the type of log |
| | | Panther added field with a unique ID (within the table) |
| | | Panther added standardized event time (UTC) |
| | | Panther added standardized log parse time (UTC) |
| | | Panther added field with the source ID |
| | | Panther added field with the source label |
| | | Panther added field with a collection of IP addresses associated with the row |
| | | Panther added field with a collection of domain names associated with the row |
| | | Panther added field with a collection of SHA1 hashes associated with the row |
| | | Panther added field with a collection of MD5 hashes associated with the row |
| | | Panther added field with a collection of SHA256 hashes of any algorithm associated with the row |
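The following is an added example, not Panther's parser or Umbrella's code, showing how a Cloud Firewall line in the column order of the table above can be normalized into an event that carries the Panther-added `p_event_time` and `p_any_ip_addresses` fields. The column names (`sourceIp`, `verdict`, and so on) are assumed for illustration because the page lists only descriptions, and the sample line is constructed.

```python
import csv
import io
from datetime import datetime, timezone
from ipaddress import ip_address

# Column order follows the Cloud Firewall table above; the names are assumed here
# (the page lists descriptions only) and are not Panther's or Umbrella's official names.
CDFW_COLUMNS = [
    "timestamp", "originId", "identity", "identityType", "direction",
    "ipProtocol", "packetSize", "sourceIp", "sourcePort",
    "destinationIp", "destinationPort", "dataCenter", "ruleId", "verdict",
]


def parse_cdfw_line(line: str) -> dict:
    """Parse one quoted-CSV Cloud Firewall line into an event dict and add the
    Panther-style p_event_time and p_any_ip_addresses fields."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(CDFW_COLUMNS):
        raise ValueError(f"expected {len(CDFW_COLUMNS)} columns, got {len(row)}")
    event = dict(zip(CDFW_COLUMNS, row))
    # Numeric columns arrive as strings in CSV; convert so rule comparisons are not lexical
    for key in ("packetSize", "sourcePort", "destinationPort"):
        event[key] = int(event[key])
    # The page states the timestamp is already UTC; attach the zone explicitly
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S")
    event["p_event_time"] = ts.replace(tzinfo=timezone.utc).isoformat()
    # Indicator collection: every syntactically valid IP in the row, deduplicated and sorted
    ips = set()
    for key in ("sourceIp", "destinationIp"):
        try:
            ips.add(str(ip_address(event[key])))
        except ValueError:
            pass  # a malformed value stays in the event but is left out of the collection
    event["p_any_ip_addresses"] = sorted(ips)
    return event


def is_blocked(event: dict) -> bool:
    """Panther rule-style predicate: True when the CDFW rule verdict blocked the packet."""
    return str(event.get("verdict", "")).upper() == "BLOCK"


# Constructed sample line (not real Umbrella data), in the column order above
SAMPLE_LINE = ('"2015-01-16 17:48:41","1234567","branch-tunnel-1","CDFW Tunnel Device",'
               '"OUTBOUND","TCP","1500","10.0.0.5","51234","203.0.113.10","443",'
               '"lon","5","BLOCK"')

if __name__ == "__main__":
    print(parse_cdfw_line(SAMPLE_LINE))
```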
DNS logs show traffic that has reached our DNS resolvers. Reference: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-dns-logs
| Column | Type | Description |
| --- | --- | --- |
| | | When this request was made, in UTC. This differs from the Umbrella dashboard, which converts the time to your specified time zone. |
| | | The first identity that matched the request. |
| | | All identities associated with this request. |
| | | The internal IP address that made the request. |
| | | The external IP address that made the request. |
| | | Whether the request was allowed or blocked. |
| | | The type of DNS request that was made. For more information, see Common DNS Request Types. |
| | | The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). |
| | | The domain that was requested. |
| | | The security or content categories that the destination matches. |
| | | The first identity type matched with this request. Available in version 3 and above. |
| | | The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. |
| | | The categories that resulted in the destination being blocked. Available in version 4 and above. |
| | | Panther added field with the type of log |
| | | Panther added field with a unique ID (within the table) |
| | | Panther added standardized event time (UTC) |
| | | Panther added standardized log parse time (UTC) |
| | | Panther added field with the source ID |
| | | Panther added field with the source label |
| | | Panther added field with a collection of IP addresses associated with the row |
| | | Panther added field with a collection of domain names associated with the row |
| | | Panther added field with a collection of SHA1 hashes associated with the row |
| | | Panther added field with a collection of MD5 hashes associated with the row |
| | | Panther added field with a collection of SHA256 hashes of any algorithm associated with the row |
IP logs show traffic that has been handled by the IP Layer Enforcement feature. Reference: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-ip-logs
| Column | Type | Description |
| --- | --- | --- |
| | | The timestamp of the request transaction in UTC (2015-01-16 17:48:41). |
| | | The first identity that matched the request. |
| | | The IP of the computer making the request. |
| | | The port the request was made on. |
| | | The destination IP requested. |
| | | The destination port the request was made on. |
| | | Which security categories, if any, matched against the destination IP address/port requested. |
| | | The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. |
| | | Panther added field with the type of log |
| | | Panther added field with a unique ID (within the table) |
| | | Panther added standardized event time (UTC) |
| | | Panther added standardized log parse time (UTC) |
| | | Panther added field with the source ID |
| | | Panther added field with the source label |
| | | Panther added field with a collection of IP addresses associated with the row |
| | | Panther added field with a collection of domain names associated with the row |
| | | Panther added field with a collection of SHA1 hashes associated with the row |
| | | Panther added field with a collection of MD5 hashes associated with the row |
| | | Panther added field with a collection of SHA256 hashes of any algorithm associated with the row |
Proxy logs show traffic that has passed through the Umbrella Secure Web Gateway or the Selective Proxy. Reference: https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning#section-proxy-logs
| Column | Type | Description |
| --- | --- | --- |
| | | The timestamp of the request transaction in UTC (2015-01-16 17:48:41). |
| | | The first identity that matched the request. |
| | | Which identities, in order of granularity, made the request through the intelligent proxy. |
| | | The internal IP address of the computer making the request. |
| | | The egress IP address of the network where the request originated. |
| | | The destination IP address of the request. |
| | | The type of web content, typically text/html. |
| | | Whether the destination was blocked or allowed. |
| | | The URL requested. |
| | | The referring domain or URL. |
| | | The browser agent that made the request. |
| | | The HTTP status code; should always be 200 or 201. |
| | | Request size in bytes. |
| | | Response size in bytes. |
| | | Response body size in bytes. |
| | | SHA256 hex digest of the response content. |
| | | The security categories for this request, such as Malware. |
| | | The detection name according to the antivirus engine used in file inspection. |
| | | A list of all potentially unwanted application (PUA) results for the proxied file, as returned by the antivirus scanner. |
| | | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious, or Unknown. |
| | | If Malicious, the name of the malware according to AMP. |
| | | The score of the malware from AMP. This field is not currently used and will be blank. |
| | | The type of identity that made the request. For example, Roaming Computer, Network, and so on. |
| | | The categories that resulted in the destination being blocked. Available in version 4 and above. |
| | | Panther added field with the type of log |
| | | Panther added field with a unique ID (within the table) |
| | | Panther added standardized event time (UTC) |
| | | Panther added standardized log parse time (UTC) |
| | | Panther added field with the source ID |
| | | Panther added field with the source label |
| | | Panther added field with a collection of IP addresses associated with the row |
| | | Panther added field with a collection of domain names associated with the row |
| | | Panther added field with a collection of SHA1 hashes associated with the row |
| | | Panther added field with a collection of MD5 hashes associated with the row |
| | | Panther added field with a collection of SHA256 hashes of any algorithm associated with the row |
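As an added example (not a rule shipped by Panther), a Python detection in Panther's `rule()`/`severity()`/`title()`/`dedup()` shape that fires on the file inspection columns of the Proxy table above and escalates when the flagged file was still allowed through. The field names (`ampDisposition`, `ampMalwareName`, `avDetections`, `verdict`, `sha`, `url`, `identity`) are assumed from the table's descriptions, and both sample events are constructed.

```python
# Panther-style rule over Umbrella Proxy events. Field names are assumed from the
# table's descriptions (the page lists no column names); the function shape follows
# Panther's Python rule convention. Sample events below are constructed, not real data.


def rule(event: dict) -> bool:
    """Fire when Umbrella file inspection flagged the proxied content."""
    if event.get("ampDisposition") == "Malicious":
        return True
    # The antivirus engine may name a detection even when AMP has no Malicious verdict
    return bool(event.get("avDetections"))


def severity(event: dict) -> str:
    """A flagged file that the proxy still allowed reached the endpoint; escalate it."""
    verdict = str(event.get("verdict", "")).upper()
    return "HIGH" if verdict.startswith("ALLOW") else "MEDIUM"


def title(event: dict) -> str:
    """Alert title naming the detection, the identity and the requested URL."""
    name = event.get("ampMalwareName") or event.get("avDetections") or "unnamed detection"
    return f"Umbrella file inspection: {name} for {event.get('identity')} at {event.get('url')}"


def dedup(event: dict) -> str:
    """Collapse repeated downloads of the same file by the same identity into one alert."""
    return f"{event.get('identity')}:{event.get('sha')}"


# Constructed sample events (not real Umbrella data)
MALICIOUS_ALLOWED = {
    "identity": "alice-laptop", "url": "http://files.example/invoice.exe",
    "verdict": "ALLOWED", "ampDisposition": "Malicious",
    "ampMalwareName": "Test.Detection.Constructed", "avDetections": "",
    "sha": "<constructed sha256>",
}
CLEAN_BLOCKED = {
    "identity": "bob-desktop", "url": "http://example.test/page.html",
    "verdict": "BLOCKED", "ampDisposition": "Clean", "ampMalwareName": "",
    "avDetections": "", "sha": "<constructed sha256>",
}

if __name__ == "__main__":
    for ev in (MALICIOUS_ALLOWED, CLEAN_BLOCKED):
        if rule(ev):
            print(severity(ev), title(ev), dedup(ev))
```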